Package: didiwiki
Version: 0.5-11+deb8u1
Severity: important
In its attempt to prevent escape from /var/lib/didiwiki, patch
91_check_page_path.patch goes way too far and renders a large class of
reasonable and previously valid page names inaccessible.
The main culprit is the check for isalnum(page_name[0]): this is painful
for CJK users since Chinese characters aren't alphanumeric. More generally,
it's unlikely to work as intended with UTF8-encoded names; e.g. page names
that start with á (which is alphanumeric in some locales) are rejected.
I guess the intent was to exclude absolute pathnames. That's more
properly coded
    if (page_name[0] == '/')
        return FALSE;
The checks are done after %-escapes are processed, so there is no need to
separately guard against a leading %2F .
(Also, I'd only disallow ".." if it's preceded and followed by either a
slash or an extremity of the string. No need to forbid ellipsis in
page names...)
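
The check suggested in this report, written out as an added example (not part of the original report and not didiwiki's code). The function name page_name_is_safe, the rejection of empty names and the sample names in main() are assumptions; the input is taken to be already %-decoded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true when page_name (already %-decoded) cannot
 * leave the wiki directory. Rejects only what the report asks for:
 * a leading '/' and any path component that is exactly "..". */
bool page_name_is_safe(const char *page_name)
{
    const char *p = page_name;

    /* Assumption: an empty or missing name is not a valid page. */
    if (page_name == NULL || page_name[0] == '\0')
        return false;

    /* Absolute path names. No isalnum() test on the first byte, so
     * UTF-8 lead bytes (CJK, accented letters) are accepted. */
    if (page_name[0] == '/')
        return false;

    /* Walk the '/'-separated components. ".." is rejected only when it
     * is a whole component, i.e. bounded on each side by a slash or by
     * an end of the string; "a..b" and a trailing "..." are fine. */
    while (*p != '\0') {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += len;
        if (*p == '/')
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, not taken from the report. */
    const char *samples[] = {
        "WikiHome", "\xe4\xb8\xad\xe6\x96\x87", "To be continued...",
        "/etc/passwd", "../secret", "notes/../../secret",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               page_name_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```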